Routing - Unable to Access computers behind LAN

testmiss123
OpenVpn Newbie
Posts: 11
Joined: Wed May 02, 2012 4:00 am

Routing - Unable to Access computers behind LAN

Post by testmiss123 » Wed May 02, 2012 4:38 am

Hi,

I am new to OpenVPN and networking and so am having a lot of trouble trying to access computers on the LAN via the OpenVPN server. Can someone help me? Here's my scenario. I have 3 computers, an Ubuntu 11.10 server, a CentOS 6.2 server and a Windows 7 laptop, connected to my Cisco Valet router. I have installed the OpenVPN server on the Ubuntu machine and the OpenVPN client on my Windows laptop, and I am able to connect to the Ubuntu machine via OpenVPN without any issue. My problem arises when I try to connect to the CentOS machine via my OpenVPN client on Windows 7. I just can't connect to it at all via OpenVPN. Both CentOS and Ubuntu have static IP addresses while Windows 7 is DHCP. My CentOS IP address is 192.168.1.20 (ifconfig result) while my Ubuntu VPN server's IP is 192.168.1.21 (ifconfig result). The Ubuntu VPN server tunnel IP is 10.8.0.1. The mask is 255.255.255.0 (ifconfig result) on both computers. My router's gateway is 192.168.1.1 and the subnet mask is 255.255.255.0. I tried to add a static route on my router by giving Route Name: VPN, Destination IP: 192.168.1.20, Subnet mask: 255.255.255.0, Gateway: 192.168.1.1 and Interface: LAN/Wireless, but I get an "Invalid static route" error. What am I doing wrong? Please help!!!

Here's my server.conf file

Code:

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
port 1194
# TCP or UDP server?
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap

ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "route 192.168.1.20 255.255.255.0"

;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
route 192.168.0.0 255.255.255.248

client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

;learn-address ./script

;push "redirect-gateway def1 bypass-dhcp"

;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

;client-to-client

;duplicate-cn

keepalive 10 120

;tls-auth ta.key 0 # This file is secret

;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

comp-lzo
;max-clients 100

;user nobody
;group nogroup

persist-key
persist-tun

status openvpn-status.log

;log         openvpn.log
;log-append  openvpn.log

verb 3

;mute 20

My client.conf file

Code:

client

;dev tap
dev tun

;dev-node MyTap

;proto tcp
proto udp

remote ABC123.dyndns.org 1194
;remote my-server-2 1194

;remote-random
resolv-retry infinite

nobind

;user nobody
;group nogroup

persist-key
persist-tun

;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings

ca ca.crt
cert abc1234.crt
key abc1234.key

ns-cert-type server
;tls-auth ta.key 1

;cipher x

comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routing - Unable to Access computers behind LAN

Post by maikcat » Wed May 02, 2012 8:04 am

hi there,

first change this
push "route 192.168.1.20 255.255.255.0"
to this

push "route 192.168.1.0 255.255.255.0"

second check if ip forwarding is enabled on openvpn server
third check the firewalls on both centos & ubuntu
fourth are you running openvpn on 7 with admin rights?

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

testmiss123
OpenVpn Newbie
Posts: 11
Joined: Wed May 02, 2012 4:00 am

Re: Routing - Unable to Access computers behind LAN

Post by testmiss123 » Wed May 02, 2012 3:33 pm

I will try your suggestion and change to: push "route 192.168.1.0 255.255.255.0".

As for IP forwarding. Yes I have done this. As for firewall, my centOS server is minimal install and so I don't think the firewall is enabled. As for Ubuntu, I will disable the firewall to do some testing. Here are some additional steps that I have done.

1. IP forwarding on my Ubuntu VPN server by editing the /etc/sysctl.conf file and setting net.ipv4.ip_forward = 1 and then executing the command sysctl -p.

2. created the directory ccd under /etc/openvpn.

3. Then I went to the ccd directory (cd /etc/openvpn/ccd) and added the client file, abc1234 (abc1234.key is the name of my certificate file on my laptop client) with the following content:
iroute 192.168.0.0 255.255.255.0 (this is what I saw in the OpenVPN wiki. this line is a blind copy)
ifconfig-push 10.8.0.4 10.8.0.16 (I put 10.8.0.4 because that's what I saw in ipp.txt against abc1234, and 10.8.0.16 is arbitrary. I'm thinking that the next person who may connect will have an IP less than 10.8.0.16 and greater than 10.8.0.4? am I correct?)

4. I have forwarded (on my router thru port forwarding) the ports 80, 443 and 1194 on my Ubuntu OpenVPN server. However, I have not forwarded any ports from my CentOS machine nor does it have a webserver . Should I forward these ports as well? Also, I did NOT install OpenVPN on centOS. Is this OK?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routing - Unable to Access computers behind LAN

Post by maikcat » Thu May 03, 2012 7:07 am

hi there,
> As for firewall, my centOS server is minimal install and so I don't think the firewall is enabled

centos 6 AFAIK by default has selinux & firewall on...check them out

> Then I went to the ccd directory (cd /etc/openvpn/ccd) and added the client file, abc1234 (abc1234.key is the name of my certificate file on my laptop client) with the following content:
> iroute 192.168.0.0 255.255.255.0 (this is what I saw in the OpenVPN wiki. this line is a blind copy)

the iroute statement is used in conjunction with the route statement, the iroute
inside the ccd file & the route inside the server config.
the purpose of iroute is to enable routing when using openvpn in lan to lan scenarios.

> ifconfig-push 10.8.0.4 10.8.0.16

when using tun & mode p2p the above is wrong...
please use something like

ifconfig-push 10.8.0.10 10.8.0.9

0.10 is for your client

the purpose of ccd files is so that clients use "static" vpn ips
and for passing specific options to specific clients.

> 4. I have forwarded (on my router thru port forwarding) the ports 80, 443 and 1194 on my Ubuntu OpenVPN server. However, I have not forwarded any ports from my CentOS machine nor does it have a webserver. Should I forward these ports as well? Also, I did NOT install OpenVPN on centOS. Is this OK?

only the vpn service port needs to be forwarded, to the openvpn server itself.

Michael.

testmiss123
OpenVpn Newbie
Posts: 11
Joined: Wed May 02, 2012 4:00 am

Re: Routing - Unable to Access computers behind LAN

Post by testmiss123 » Fri May 04, 2012 2:59 pm

Hi Michael,

Thanks for your reply. I have some questions for you.

1. should ifconfig-push 10.8.0.10 10.8.0.9 line be in the server.conf or should it be in the ccd file?

2. 10.8.0.10 is my static client IP. Then what is 10.8.0.9? and why is it used?

3. I don't have OpenVPN installed on my CentOS machine at the moment. I assume that I need to install it before it can work. Correct?

4. Do I also need to install a webserver such as apache on CentOS for OpenVPN to work?

The other thing that I found during my OpenVPN server installation on Ubuntu was that I needed to forward port 443 (https) as well (in addition to the 1194 VPN server port). Without it I could not connect.

I am going to try your suggestions today.

Emmanuel

testmiss123
OpenVpn Newbie
Posts: 11
Joined: Wed May 02, 2012 4:00 am

Re: Routing - Unable to Access computers behind LAN

Post by testmiss123 » Sat May 05, 2012 5:23 am

Hi Michael,

I disabled all the firewalls and did all the changes that you had suggested. I disabled them on CentOS, Ubuntu (OpenVPN server) and on the laptop. Now I can connect (trace route) from CentOS to the Ubuntu VPN server and vice versa. I also can trace route from my laptop to Ubuntu and vice versa. However, I CANNOT connect or trace route from my Windows laptop to CentOS or vice versa. This is the most important aspect of the setup. I want to connect from my laptop to CentOS.

From trace route I got the CentOS IP as 10.8.0.10 and my laptop IP as 10.8.0.6, and the Ubuntu VPN server is 10.8.0.1. Below is the trace route information that I obtained. For your convenience, I am also posting the updated server and the 2 client configuration files as well as the updated client files in the ccd directory. Can you help me to connect from my laptop to the CentOS machine, because this is the most important part of this setup. Also, will the 10.8.0.10 and the 10.8.0.6 values change or will they remain static?

Code:

Trace Route From Windows Laptop

#Here I am Tracing the Ubuntu Open VPN Server.
C:\>tracert 10.8.0.1

Tracing route to UBUNTU-VPN-SERVER [10.8.0.1]
over a maximum of 30 hops:

  1     9 ms     4 ms     4 ms  UBUNTU-VPN-SERVER [10.8.0.1]

Trace complete.

#Here I am Tracing My Home Laptop.
C:\>tracert 10.8.0.6

Tracing route to HOME-LAPTOP [10.8.0.6]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  HOME-LAPTOP [10.8.0.6]

Trace complete.

#Here I am Tracing My CentOS 6.2 Server.
C:\>tracert 10.8.0.10

Tracing route to 10.8.0.10 over a maximum of 30 hops

  1    22 ms     3 ms     3 ms   [192.168.1.1]
  2     3 ms     3 ms     3 ms  UBUNTU-VPN-SERVER [192.168.1.21]
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

-----------------------------------------------------------------------
As you can see I am able to trace the Ubuntu VPN server, but not the
CentOS server.  I can also trace my laptop.
-----------------------------------------------------------------------

Trace Route From CentOS

#Here I am Tracing the Ubuntu Open VPN Server.
[root@centos62]# tracepath 10.8.0.1
 1:  10.8.0.10 (10.8.0.10)                                  0.165ms pmtu 1500
 1:  10.8.0.1 (10.8.0.1)                                    1.038ms reached
 1:  10.8.0.1 (10.8.0.1)                                    0.756ms reached
     Resume: pmtu 1500 hops 1 back 64

#Here I am Tracing My Home Laptop.
[root@centos62]# tracepath 10.8.0.6
 1:  centos62 (192.168.1.20)                                0.168ms pmtu 1500
 1:  192.168.1.1 (192.168.1.1)                              0.736ms
 1:  192.168.1.1 (192.168.1.1)                              0.630ms
 2:  192.168.1.21 (192.168.1.21)                            3.242ms asymm  1
 3:  no reply
 4:  no reply
 5:  no reply

#Here I am Tracing My CentOS 6.2 Server.
[root@centos62]# tracepath 10.8.0.10
 1:  10.8.0.10 (10.8.0.10)                                  0.117ms pmtu 16436
 1:  10.8.0.10 (10.8.0.10)                                  0.047ms reached
 1:  10.8.0.10 (10.8.0.10)                                  0.049ms reached
     Resume: pmtu 16436 hops 1 back 64

-----------------------------------------------------------------------
As you can see I can trace the Ubuntu VPN server and the CentOS but not the Windows Laptop.
-----------------------------------------------------------------------



Trace From Open VPN Ubuntu Server

#Here I am Tracing My CentOS 6.2 Server. 
root@ubuntu:/etc/openvpn/ccd# tracepath 10.8.0.10
 1:  10.8.0.1                                              0.251ms pmtu 1500
 1:  10.8.0.10                                             1.391ms reached
 1:  10.8.0.10                                             1.264ms reached
     Resume: pmtu 1500 hops 1 back 64

#Here I am Tracing My Home Laptop.
root@ilangko:/home/eilangko/os_changes# tracepath 10.8.0.6
 1:  10.8.0.1                                              0.308ms pmtu 1500
 1:  10.8.0.6                                             91.961ms reached
 1:  10.8.0.6                                              5.029ms reached
     Resume: pmtu 1500 hops 1 back 128

#Here I am Tracing the Ubuntu Open VPN Sever. 
root@ubuntu:/etc/openvpn/ccd# tracepath 10.8.0.1
 1:  10.8.0.1                                              0.227ms reached
     Resume: pmtu 65535 hops 1 back 64

------------------------------------------------------------------------------------------------------
As you can see I am able to trace CentOS and the Windows Laptop.  
----------------------------------------------------------------------------------------------------

Code:

server.conf on Ubuntu Open VPN Server

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
route 192.168.0.0 255.255.255.248
client-config-dir ccd
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

CentOS client.conf

client
dev tun
proto udp
remote ABC123.dyndns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert centos62.crt
key centos62.key
ns-cert-type server
comp-lzo
verb 3

Windows Laptop myconfig.ovpn

client
dev tun
proto udp
remote ABC123.dyndns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert abc1234.crt
key abc1234.key
ns-cert-type server
comp-lzo
verb 3


ccd directory on Ubuntu- /etc/openvpn/ccd
I have 2 files 

centos62 (centos client key) and abc1234 (windows laptop client key)

root@ubuntu:/etc/openvpn/ccd# more centos62
ifconfig-push 10.8.0.10 10.8.0.9
iroute 192.168.0.0 255.255.255.0

root@ubuntu:/etc/openvpn/ccd# more abc1234
ifconfig-push 10.8.0.6 10.8.0.5
iroute 192.168.0.0 255.255.255.0

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routing - Unable to Access computers behind LAN

Post by maikcat » Sat May 05, 2012 3:17 pm

many questions i will try to keep up...

> 1. should ifconfig-push 10.8.0.10 10.8.0.9 line be in the server.conf or should it be in the ccd file?

i didn't clarify it, place it inside the ccd file

> 2. 10.8.0.10 is my static client IP. Then what is 10.8.0.9? and why is it used?

tun interfaces are point to point interfaces, .10 is for the client, .9 is for the server endpoint
please read the docs...

> 3. I don't have OpenVPN installed on my CentOS machine at the moment. I assume that I need to install it before it can work. Correct?

if it is on the same lan with ubuntu (the openvpn server) then no, just configure routing right.

> 4. Do I also need to install a webserver such as apache on CentOS for OpenVPN to work?

what does apache have to do with openvpn? the answer is no..

Michael.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routing - Unable to Access computers behind LAN

Post by maikcat » Sat May 05, 2012 3:20 pm

generally speaking if you want clients to be able to see each other
use client-to-client directive in server config.

also enable ip forwarding on openvpn server.
iroute is for enabling lan-to-lan connections,
you can't use the same iroute for 2 different clients...

try setting a static route on centos for net 10.8.0.0 255.255.255.0
pointing to your ubuntu server.

stupid question: centos & ubuntu are in same network ,right?

Michael.

testmiss123
OpenVpn Newbie
Posts: 11
Joined: Wed May 02, 2012 4:00 am

Re: Routing - Unable to Access computers behind LAN

Post by testmiss123 » Sat May 05, 2012 8:03 pm

Hi Michael,

Thanks for your help. I just needed to un-comment the line client-to-client in my server.conf file. Now everything works as intended.

Emmanuel

testmiss123
OpenVpn Newbie
Posts: 11
Joined: Wed May 02, 2012 4:00 am

Re: Routing - Unable to Access computers behind LAN

Post by testmiss123 » Tue May 08, 2012 1:26 am

Yes. CentOS and Ubuntu are on the same LAN. I installed OpenVPN client on centos. After the installation things started to work. Now, are you saying that if they are on the same LAN then there is no need for OpenVPN client on CentOS?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routing - Unable to Access computers behind LAN

Post by maikcat » Tue May 08, 2012 6:32 am

> Now, are you saying that if they are on the same LAN then there is no need for OpenVPN client on CentOS?

yeap, you have to configure routing correctly though...

the basic steps are:

enable ip forwarding on the vpn server
push a route for the private lan to your openvpn clients
add a static route for the vpn network to your pc behind the openvpn server, pointing to your openvpn server's lan ip.

Michael.

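The advice in this thread boils down to a handful of checks that can be run over the text of server.conf and the ccd files before touching a live box: the pushed route must name a network rather than a host (the first correction above), an ifconfig-push pair under tun's default net30 topology must be the two usable addresses of one /30 (why 10.8.0.10 / 10.8.0.9 works and 10.8.0.4 / 10.8.0.16 does not), an iroute needs a matching route line in server.conf and can be claimed by only one client, client-to-client is what lets two VPN clients see each other, and ip_forward must be on. The following is an added example, not code from this thread or from OpenVPN; the function names, the ip_forward argument (passed in rather than read from sysctl) and the sample configs are my constructions, modelled on the files posted above.

```python
"""Static checks for the server.conf / ccd mistakes discussed in this thread.
Added example; sample configs are constructed to mirror the posted ones."""
import ipaddress


def parse_directives(text):
    """Return [(directive, [args])], skipping blank lines and ';' / '#' comments.
    Quotes around push "..." are dropped so the pushed option becomes plain args."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.replace('"', "").split()
        out.append((parts[0], parts[1:]))
    return out


def is_network_address(ip, mask):
    """A route wants the network base (192.168.1.0/24), not a host (192.168.1.20)."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return net.network_address == ipaddress.ip_address(ip)


def is_valid_net30_pair(client_ip, server_ip):
    """Under tun's default net30 topology each client owns a /30, so the two
    ifconfig-push addresses must be the usable hosts of one /30 (e.g. .10 and .9)."""
    a, b = ipaddress.ip_address(client_ip), ipaddress.ip_address(server_ip)
    hosts = set(ipaddress.ip_network(f"{a}/30", strict=False).hosts())
    return a in hosts and b in hosts and a != b


def check_routing(server_conf, ccd_files, ip_forward):
    """Findings for a server.conf string plus {client_common_name: ccd_text}.
    ip_forward is passed in (assumed read from net.ipv4.ip_forward by the caller)."""
    findings = []
    server = parse_directives(server_conf)
    if not ip_forward:
        findings.append("ip_forward is 0: the server will not forward between tun and the LAN")
    if "client-to-client" not in {d for d, _ in server}:
        findings.append("client-to-client not set: VPN clients cannot reach each other via the server")
    server_routes = {tuple(a[:2]) for d, a in server if d == "route"}
    for d, a in server:
        if d == "push" and a[:1] == ["route"] and not is_network_address(a[1], a[2]):
            base = ipaddress.ip_network(f"{a[1]}/{a[2]}", strict=False).network_address
            findings.append(f'push "route {a[1]} {a[2]}" names a host; use the network {base} {a[2]}')
    claimed = {}  # iroute -> client that already owns that LAN
    for client, text in ccd_files.items():
        for d, a in parse_directives(text):
            if d == "ifconfig-push" and not is_valid_net30_pair(a[0], a[1]):
                findings.append(f"{client}: ifconfig-push {a[0]} {a[1]} is not a valid /30 pair for tun")
            elif d == "iroute":
                key = tuple(a[:2])
                if key in claimed:
                    findings.append(f"{client}: iroute {a[0]} {a[1]} is already claimed by {claimed[key]}")
                claimed.setdefault(key, client)
                if key not in server_routes:
                    findings.append(f"{client}: iroute {a[0]} {a[1]} has no matching 'route' line in server.conf")
    return findings


# Constructed to mirror the first server.conf and ccd files posted above.
BROKEN_SERVER_CONF = """
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.1.20 255.255.255.0"
route 192.168.0.0 255.255.255.248
client-config-dir ccd
;client-to-client
"""
BROKEN_CCD = {
    "abc1234": "iroute 192.168.0.0 255.255.255.0\nifconfig-push 10.8.0.4 10.8.0.16\n",
    "centos62": "ifconfig-push 10.8.0.10 10.8.0.9\niroute 192.168.0.0 255.255.255.0\n",
}
# The shape the thread converged on: network route, client-to-client, valid /30
# pairs, and no iroute because neither client has a LAN of its own behind it.
FIXED_SERVER_CONF = """
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
client-config-dir ccd
client-to-client
"""
FIXED_CCD = {
    "abc1234": "ifconfig-push 10.8.0.6 10.8.0.5\n",
    "centos62": "ifconfig-push 10.8.0.10 10.8.0.9\n",
}

if __name__ == "__main__":
    for finding in check_routing(BROKEN_SERVER_CONF, BROKEN_CCD, ip_forward=True):
        print("-", finding)
    print("fixed config findings:", check_routing(FIXED_SERVER_CONF, FIXED_CCD, ip_forward=True))
```

Run as a script it lists six findings for the broken configuration and none for the fixed one. It is a lint over text only: it cannot see the live route table, the firewall on either end, or whether the Windows client was started with the rights it needs to add routes, all of which the thread also asks about.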
testmiss123
OpenVpn Newbie
Posts: 11
Joined: Wed May 02, 2012 4:00 am

Re: Routing - Unable to Access computers behind LAN

Post by testmiss123 » Wed May 09, 2012 2:40 pm

Hi Michael,

I am planning on adding a Windows Server to this VPN network. So for me to not install a VPN client on the Windows machine and yet be able to connect to it from my laptop client, I will perform the following steps:

1. I keep the current configuration as it is, including the static route setting. (server.conf info is posted above in this thread)
2. Generate a new certificate. (If you are saying that there is no need for a VPN client on Windows, then why a certificate?)
3. Create a file with the key file's common name and put it in the ccd directory on the VPN server.
ccd file content:
ifconfig-push 10.8.0.12 10.8.0.11 (I already have another client (CentOS) with ifconfig-push 10.8.0.10 10.8.0.9)
iroute 192.168.0.0 255.255.255.0
4. Don't I need a client.conf file on my Windows Server? (But if you are saying there is no need to install a VPN client, then where would I put this client.conf?)

My Current Static Route Settings on my router is as follows:

Route Name : VPN
Destination IP : 10.8.0.0
Subnetmask : 255.255.255.0
Gateway : 192.168.1.21 (This is the IP address of OpenVPN Ubuntu Server)
Interface : LAN/Wireless,

Do I have to change these static route settings for VPN to work without installing VPN client on Windows?
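To make the return-path question concrete, here is an added toy model (not code from this thread or from OpenVPN) that does longest-prefix-match forwarding over the hosts named in this thread. The addresses are the ones posted (laptop 10.8.0.6, Ubuntu server 10.8.0.1 and 192.168.1.21, CentOS 192.168.1.20, router 192.168.1.1); the route tables, the host names and the function names are my assumptions for the case where a LAN machine such as CentOS has no OpenVPN client of its own. It shows that the laptop reaches the LAN host through the server, that the LAN host's reply is dropped at the router when nothing on the LAN side holds a route for 10.8.0.0/24, and that either the static route on the LAN host that maikcat suggested or the static route on the router listed just above restores the reverse path.

```python
"""Toy longest-prefix-match model of the return-path problem in this thread.
Added example; addresses come from the posts, the route tables are assumptions."""
import ipaddress


def make_hosts(centos_static_route=False, router_static_route=False):
    """Hosts keyed by name: addresses, whether they forward transit traffic,
    and routes as (prefix, next_hop) with next_hop None meaning on-link."""
    hosts = {
        "laptop": {"addrs": {"10.8.0.6"}, "forwards": False,
                   "routes": [("10.8.0.0/24", "10.8.0.1"),
                              ("192.168.1.0/24", "10.8.0.1")]},   # pushed by the server
        "server": {"addrs": {"10.8.0.1", "192.168.1.21"}, "forwards": True,  # ip_forward=1
                   "routes": [("10.8.0.0/24", None), ("192.168.1.0/24", None)]},
        "centos": {"addrs": {"192.168.1.20"}, "forwards": False,
                   "routes": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]},
        "router": {"addrs": {"192.168.1.1"}, "forwards": True,
                   "routes": [("192.168.1.0/24", None)]},        # knows nothing of 10.8.0.0/24
    }
    if centos_static_route:   # maikcat's suggestion: VPN net via the server's LAN IP
        hosts["centos"]["routes"].append(("10.8.0.0/24", "192.168.1.21"))
    if router_static_route:   # the alternative: the same route on the router
        hosts["router"]["routes"].append(("10.8.0.0/24", "192.168.1.21"))
    return hosts


def lookup(routes, dst):
    """Longest-prefix match; returns next hop (None = on-link) or raises LookupError."""
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def owner(hosts, addr):
    """Name of the host holding addr, or None if nobody does."""
    return next((n for n, h in hosts.items() if str(addr) in h["addrs"]), None)


def trace(hosts, src, dst, max_hops=8):
    """Walk a packet from host src to address dst. Returns (delivered, path)."""
    dst = ipaddress.ip_address(dst)
    here, path = src, [src]
    for _ in range(max_hops):
        if str(dst) in hosts[here]["addrs"]:
            return True, path
        if here != src and not hosts[here]["forwards"]:
            return False, path          # an end host drops transit packets
        try:
            nh = lookup(hosts[here]["routes"], dst)
        except LookupError:
            return False, path          # dropped here: no route
        here = owner(hosts, dst if nh is None else nh)
        if here is None:
            return False, path          # next hop / on-link target does not exist
        path.append(here)
    return False, path


if __name__ == "__main__":
    print("laptop -> centos, no extra routes:", trace(make_hosts(), "laptop", "192.168.1.20"))
    print("centos -> laptop, no extra routes:", trace(make_hosts(), "centos", "10.8.0.6"))
    print("centos -> laptop, route on centos:",
          trace(make_hosts(centos_static_route=True), "centos", "10.8.0.6"))
    print("centos -> laptop, route on router:",
          trace(make_hosts(router_static_route=True), "centos", "10.8.0.6"))
```

The second trace stops at the router, which is the same place the real tracepath from CentOS above handed the packet off; the model is deliberately simpler than a real stack (no ICMP redirects, no firewalls), so it explains the missing route, not every symptom in the thread.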

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routing - Unable to Access computers behind LAN

Post by maikcat » Thu May 10, 2012 7:46 am

can you pleeease draw a simple schematic with *ALL* your servers
and i will give you configs/static routes etc..


regards,

Michael.
